Splunk Search

search and index problem..(Trial license has expired/updated to free license version)

hylee
Explorer

Trial license has expired, so updated to free license version.
However, still does not search, and data does not index.

error message below..
"Alerts - Permanent" - 8 license window warnings reported by 1 indexer

How should I solve this problem?

Tags (3)
0 Karma

grijhwani
Motivator

Cut down the amount of data you are indexing. The indexing should continue, even if you have blown your daily licence cap, but searching facilities are disabled whilst you have a specific number of violations within the last 30 day window. On a free licence your it will stop after 3, on an enterprise licence after 5.

Just how much are you indexing?

For explanation of licence violations see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations

0 Karma

grijhwani
Motivator

In that case you have something odd going on.

Try this search:

index="_internal" source="*license_usage.log" type="Usage" | convert timeformat="%Y-%m-%d (%a)" ctime(_time) as ISODate | eval MB=b/1024/1024 | chart eval(round(sum(MB),0)) over date_hour by ISODate limit=0 | addcoltotals labelfield=date_hour | addtotals

It is more detailed than you need, but it should tell you what the service thinks you are indexing.

If you are running on linux (you don't specify your platform) I have a suspicion you may be falling foul of rotated logs being detected as new files and re-indexed.

0 Karma

hylee
Explorer

695MB means total..almost 2months..10~20MB a day..

0 Karma

grijhwani
Motivator

There's your problem. A free licence only allows a max of 500MB a day.

0 Karma

hylee
Explorer

total of 695MB..

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...